
""C:\WINDOWS\system32\guard.tmp,"UMonito

dankwd

Posted 03 February 2005 - 10:42 PM

First, I will say Thank You in advance! I have had problems with my cpu for about 3 weeks now and I have posted to other forums with only minimal help. I was told to uncheck items I didn't need in my startup menu. So I have unchecked:

But, of course I still have pop-ups from IE even when I don't have it open and am using Firefox like: http://isg04.casalem...V2/40250/41950/ and http://adopt.hotbar....sz=pop&rnd=7838 , my recycle bin does not allow me to choose the property to not automatically delete items, difficulty with printing and I have had desktop configurations changed like what items are to the right of my start at the bottom left-hand of my cpu screen (on the toolbar).

I think this had all to do with googling AIM buddy icons and d/l an icon from one of the websites which I thought was funny and ended up being a viral/spyware/popup/bug. I immediately ran Spybot, Adaware, and HiJackthis to rid of bug to no avail. When I couldn't connect to the internet and my cpu was randomly restarting I knew I was dealing with something bigger than I expected. I got rid of the restarting problem somehow and I called Microsoft technical support who got me back online with the {netsh winsock reset} command prompt. I then went into safe mode and tried to delete my temp. files in my documents and settings for all users and in my Windows folder. Some of the items in those temp. folders are listed above and were not removed when purging like: 3HedR, erWoMRNr0, and KS which are listed twice in my startup configuration menu for some reason. Other items like the dolsp.dll I got rid of with LSP-fix in safe mode.

So, I followed your steps for new users and ran Spybot but cannot delete items: IGetNet, Common hijacker, CoolWWWSearch.BootConf, CoolWWWSearch.Loadbat, CoolWWWSearch.Msconfd, CoolWWWSearch.Oslogo, CoolWWWSearch.Tapicfg, CoolWWWSearch.Xmlmimefiler, but could immunize some 'bad products'. I could not get CWShredder to work without having Windows 'encounter a problem' and have to close it before fixing anything.

I then ran Adaware and it cannot delete these items shown here in its logfile:

When trying to remove the 22 items (that I know will be there on the next scan) it shows that the following object cannot be removed and this changes its path after each reboot: C:\WINDOWS\system32\jt8m07l1e.dll. The option to have the program scan automatically upon startup to delete this does not work. Other paths I've gotten in the past have been: C:\WINDOWS\system32\gpa2135ol.dll and C:\WINDOWS\system32\guard.tmp.dll

AVG did not find anything although on previous scans it has found the Java BYTEVER.A virus in my users C:\documents and settings\application data folder. Trend Housecall's scan found the Java BYTEVER.A virus in the C:\documents and settings\application data folder in 3 places and could not remove these items because they were 'embedded'. I have tried removing these manually in Safe mode but they came back. When rebooting the following error (that I put as my topic title) window pops up upon startup: Run DLL error""C:\WINDOWS\system32\guard.tmp, "UMonitor"

Then another error window pops up when running Spybot and Adaware shown here: Data Execution Prevention - Run a dll as an app
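The "Run DLL error" in the topic title names a module and an export in the form a startup entry passes to rundll32. As an added example (not part of the thread, and not what l2mfix or HijackThis do), this Python code triages startup command lines for rundll32 entries whose target has an unexpected extension or no longer exists on disk. The entry names, sample commands and file set are constructed, and the extension list is a heuristic assumption.

```python
import ntpath
import os
import re

# rundll32 command line: optional quoted path to rundll32, the module to load
# (quoted or bare), a comma, then the exported function to call.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<module>[^",]+)"?\s*,\s*(?P<export>[\w#]+)',
    re.IGNORECASE,
)
# Extensions normally loaded through rundll32 (heuristic, an assumption of this example).
EXPECTED_EXT = {".dll", ".cpl", ".ocx"}


def triage_autorun(name, command, exists=os.path.exists):
    """Return findings for one startup entry; an empty list means nothing was flagged."""
    m = RUNDLL_RE.search(command)
    if not m:
        return []  # not started through rundll32, out of scope here
    module = m.group("module").strip()
    findings = []
    ext = ntpath.splitext(module)[1].lower()
    if ext not in EXPECTED_EXT:
        findings.append(f"{name}: rundll32 loads {module} (unexpected extension {ext or 'none'})")
    if not exists(module):
        findings.append(f"{name}: {module} is missing, the entry is orphaned")
    return findings


# Constructed sample data: value name -> command line, as stored under a Run key.
SAMPLE_RUN_KEY = {
    "ExampleTray": r"C:\Program Files\Example\tray.exe /min",
    "ExampleHelper": r'"C:\WINDOWS\system32\rundll32.exe" "C:\Program Files\Example\helper.dll",Start',
    "guard": r'rundll32.exe "C:\WINDOWS\system32\guard.tmp",UMonitor',
}
# Constructed: files assumed to exist on the hypothetical disk being checked.
SAMPLE_FILES = {r"c:\program files\example\helper.dll"}


def sample_exists(path):
    """Stand-in for a real file check so the example runs offline."""
    return path.lower() in SAMPLE_FILES


def triage_sample():
    """Run the triage over the constructed Run-key values."""
    report = []
    for name, command in SAMPLE_RUN_KEY.items():
        report.extend(triage_autorun(name, command, exists=sample_exists))
    return report
```

On a live Windows system the default `exists=os.path.exists` checks the real disk, and the command lines would come from the Run keys instead of the constructed dictionary.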

Posted 04 February 2005 - 04:22 AM

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

**********************************************************************************
Files Found are not all bad files:
Locate .tmp files:
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is F0A7-819C

Guest_thatman_*

Posted 04 February 2005 - 07:19 AM

Hi dankwd

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

4) Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

dankwd

Posted 04 February 2005 - 12:51 PM

Thanks again Kc you've been a HUGE help!

I could not find the C:\WINDOWS\system32\n20050308.exe (which I guess means I am not infected with it) and Housecall found 4 viruses: JAVA BYTEVER.A (listed 3 times) and JAVA OPENSTR.A which it could not delete because it could not access them in my C:\Document and Settings\user\Application Data\Sun\Java\Deployment\cache\javapi\v1.0 folder.

Guest_thatman_*

Posted 06 February 2005 - 02:02 AM

Hi dankwd

Congratulations! Your system is CLEAN

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use).

Quote:
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here http://windowsupdate.microsoft.com/ to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness. We usually recommend FireFox.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine.

After doing all these, your system will be thoroughly protected from future threats.